We live in a data-driven economy, with enterprises large and small collecting data for a host of reasons, whether that be streamlining business practices, improving customer experience, or storing sensitive information. However, this does not come without problems. Organizations today working with extensive data sets are undoubtedly challenged with managing that data in a secure way.
The threat from malware attacks, hackers and any potential data breaches are also on the rise, especially in the last few months where the global pandemic and ensuing lockdown forced businesses and their employees online.
Bad actors love this new reality, with an increased attack surface to prey upon. The combined challenge of secure data management, regulatory compliance and protecting against data harm or unlawful data access is significant for any data owner or security professional.
One important aspect in facing this challenge is actively reducing your organization’s data footprint. There is a common mindset that all data collected is important and should be stored, but storing data beyond its intended end-of-life increases the risk of that data causing problems.
Just as important as having efficient processes to store and manage data, organizations need to codify their data retention policy – in turn actively reducing their data footprint. Data beyond retention periods, temporary copies, data processed in home offices and inadequately managed data are just some examples of why there needs to be an active analysis around data end-of-life.
These examples are exacerbated in our current working climate, with many organizations facing novel issues with employees working from home and accessing sensitive data - external from a core server or storage unit.
Get your retention in order
For any organization that is concerned about data security, an up-to-date data retention program should be baked into their overall data management policy. No longer are data retention programs the sole responsibility of IT departments or data specialists, they need to be understood and practiced as standard, companywide.
Regulatory compliance is a collective goal and best practice data retention is an excellent route to achieving it. Of course, for organizations where the option is viable, hiring a data protection officer to handle your data management policy including data retention will ensure regulatory compliance. For many however, this is not an option and the responsibility instead falls to all employees.
A comprehensive data retention program must be about more than just retention; it must cover the full data erasure process for redundant, obsolete, or trivial (ROT) data to a regulatory compliant standard, with auditable processes throughout. Of course, the crux of a data retention program is to categories data sets into what must be retained and protected for specific periods, and what must be erased.
Organizations also need to consider the legal implication of how data sets, or sensitive documents, should be categorized. What happens if sensitive data sets migrate across categories? As a file reaches the end of its required retention period, should it be reassessed or erased immediately? These are issues which vary between organizations and your retention policy should reflect your unique collection of data. If these issues are considered in the original policy, they won’t cause problems in the future.
Sanitize for security
The business value of storing data indefinitely must be weighed against the risk of losing control over it – the latter will often come up trumps. From a cybersecurity perspective, to state the matter plainly: information that has been appropriately and permanently erased cannot be stolen by bad actors.
Neither malware nor an attacker can recreate or access properly erased data from an IT asset - even if a successful intrusion has occurred. Maintaining data security is an ongoing process and a mixture of many necessary components, but active data erasure is one aspect that is essential.
Finally, it’s important to recognize that in this “new normal”, remote working environment, that employee’s habits will have changed, and employees working remotely may have relaxed their approach to data management. It is likely that sensitive company data will be saved to a home desktop and employees will also likely be interfacing with cloud-based workspaces.
The split between local and remote storage can cause a headache for data management and security, but it’s important that organizations and employees know how to actively clean up this environment. Complete regular audits of company data, tracking and accounting for all data exchanged between a remote workforce. Education in best practice data sanitization is key to ensuring these new workspaces do not lead to a leak or breach. New tools like remote erasure solutions should be explored - you must adapt to the new environment, or risk leaving data exposed.
So, when looking to reduce your organization’s data footprint proactively and securely, firstly you must define your data retention policy. This involves deciding what information must be retained (for legal, regulatory, and business purposes) and for how long, and alternatively what data should be erased. Secondly, you must track all data from creation to end-of-life with full audit trail. This is a continuous process that cannot be neglected.
Finally, upon end-of-life or at the end of the data retention period, all data should be subject to secure and auditable data erasure. Reduce your organizations data footprint and you subsequently reduce the risk of a data breach, improving your overall cybersecurity.